

Tuesday, 31 March 2015

This very convincing looking email pretending to be from RS has a malicious attachment. Although the email looks genuine, it is a simple forgery. RS are not sending out this email, nor have their systems been compromised in any way.

For some reason, the EXE is downloaded from http://185.91.175.64/jsaxo8u/g39b2cx.exe with a .cab extension and then run through EXPAND, which.. errr.. does nothing much. The file is saved as %TEMP%\4543543.exe, and it has a VirusTotal detection rate of 3/57.

Analysis is still pending, but the VirusTotal report does indicate that the malware phones home to 188.120.225.17 (TheFirst-RU, Russia), which I strongly recommend blocking. Check back for more updates later.
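As an added example (not part of the original post), here is a small Python script that scans proxy log lines for the two network indicators given above and also checks for the trick described in the previous paragraph: a download that carries a .cab extension but is really a PE executable. The log format, the sample log lines and the sample file contents are constructed for this example.

```python
import re

# Indicators taken from the post itself.
DOWNLOAD_URL = "http://185.91.175.64/jsaxo8u/g39b2cx.exe"
DOWNLOAD_HOSTS = {"185.91.175.64"}
C2_HOSTS = {"188.120.225.17"}

# Assumed (constructed) proxy log layout: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
HOST_RE = re.compile(r"^https?://([^/:]+)")

def flag_log_line(line):
    """Return the reasons (possibly none) why one proxy log line matches the post's indicators."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable line: ignore rather than guess
    url = m.group("url")
    host_m = HOST_RE.match(url)
    host = host_m.group(1) if host_m else ""
    reasons = []
    if url == DOWNLOAD_URL:
        reasons.append("payload download URL")
    elif host in DOWNLOAD_HOSTS:
        reasons.append("payload host")
    if host in C2_HOSTS:
        reasons.append("C2 address")
    return reasons

def looks_like_mislabelled_exe(filename, content):
    """True when a file claims to be a cabinet (.cab) but starts with the PE 'MZ' magic.
    A genuine cabinet starts with b'MSCF'; the post describes an EXE delivered under a .cab name."""
    return filename.lower().endswith(".cab") and content[:2] == b"MZ"

def scan(lines):
    """Return (line, reasons) pairs for every log line that matched at least one indicator."""
    hits = []
    for line in lines:
        reasons = flag_log_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits

# Constructed sample log: one payload fetch, one C2 check-in, one benign request.
SAMPLE_LOG = [
    "2015-03-31T09:12:01 10.0.0.15 GET http://185.91.175.64/jsaxo8u/g39b2cx.exe 200",
    "2015-03-31T09:12:05 10.0.0.15 POST http://188.120.225.17/ 200",
    "2015-03-31T09:13:00 10.0.0.22 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```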

UPDATE:
Automated analysis [1][2][3][4] shows attempted connections to the following IPs:

Yup - spam e-mail just received. Having just placed a bona fide order from RSC I was expecting an invoice, so this particular scam seems to be relying on less-observant purchasers of RS products, and whoever it is presumably has access to the RS sales data. RD London